Posted to issues@mesos.apache.org by "Andrei Budnik (JIRA)" <ji...@apache.org> on 2019/03/30 11:17:00 UTC

[jira] [Commented] (MESOS-9693) Add master validation for SeccompInfo.

    [ https://issues.apache.org/jira/browse/MESOS-9693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805771#comment-16805771 ] 

Andrei Budnik commented on MESOS-9693:
--------------------------------------

> 2. at most one field of profile_name and unconfined should be set. better to validate in master

We have such a validation in `linux/seccomp` [isolator|https://github.com/apache/mesos/blob/9a6b3cb943fd1f8c9732cd5fb7d58a5b55c1460c/src/slave/containerizer/mesos/isolators/linux/seccomp.cpp#L102-L107].

> 1. if seccomp is not enabled, we should return failure if any fw specify seccompInfo and return appropriate status update.

There are 2 nuances that need to be taken into account.
Firstly, the Seccomp isolator might be disabled on some particular agents. So, whether Seccomp is enabled or not can be detected at the agent level rather than cluster-wide.
Secondly, we don't have a similar validation for other "unused" fields in ContainerInfo/LinuxInfo proto. E.g., a framework might specify `NetworkInfo network_infos` field in the `ContainerInfo`, but it will be ignored by an agent in case CNI and other `network_infos` consuming plugins are not enabled.

> Add master validation for SeccompInfo.
> --------------------------------------
>
>                 Key: MESOS-9693
>                 URL: https://issues.apache.org/jira/browse/MESOS-9693
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Gilbert Song
>            Assignee: Andrei Budnik
>            Priority: Major
>
> 1. if seccomp is not enabled, we should return failure if any fw specify seccompInfo and return appropriate status update.
> 2. at most one field of profile_name and unconfined should be set. better to validate in master


